Tuesday, July 7, 2015

Linux Full Disk Encryption


Linux Full Disk Encryption On Ubuntu 14.04 LTS

The full disk encryption typically used in Linux is DM-Crypt with LUKS. DM-Crypt is essentially cryptographic system for block devices that uses device mapper. More information on DM-Crypt can be found here. LUKS is the Linux Unified Key Setup and is a specification for key management. More can be found here.

The setup that will be described in this post will use DM-Crypt and LUKS via the cryptsetup utility. Also Ecryptfs and LVM will be used.

First the disk layout should be defined. For this setup there will be a single removable disk and a standard hard drive. The removable disk can be a USB drive or some other writable storage device that can be used to boot from.

The following represents the encryption layout that will be used.





Boot Ubuntu live disc in Try Mode.
Start two terminals.
In one terminal identify the disk for encryption and the disk for /boot
Prepare the encrypted disk by filling it with pseudo-random data.

sudo dd if=/dev/urandom of=/dev/sda bs=512;

Once complete, create the encrypted disk.

sudo cryptsetup -c aes-xts-plain64 --hash sha512 --key-size 512 luksFormat /dev/sda;

Open the encrypted disk.

sudo cryptsetup open –type luks /dev/sda lvm;



Create the LVM volumes.

sudo pvcreate /dev/mapper/lvm;
sudo vgcreate system /dev/mapper/lvm;
sudo lvcreate -L 10G -n rootvol system;
sudo lvcreate -L 2048M -n swapvol system;
sudo lvcreate -l 100%FREE -n homevol system;




Create partition table for boot disk.

sudo fdisk /dev/sdb;
n, p, 1, <enter>, <enter>, w




Make the file systems.

sudo mkfs.ext4 /dev/mapper/system-rootvol;
sudo mkfs.ext4 /dev/mapper/system-homevol;
sudo mkfs.ext2 /dev/sdb1;
sudo mkswap /dev/mapper/system-swapvol;



Run the installer and use the “something else” disk option.
Set the boot disk as “/dev/sdb” and assign the mountpoints to the corresponding partitions and volumes.
At the user creation section. Do not select encrypt home directory.
Once the install is finished; Continue “testing”.





At this point we will configure the new OS to use the encrypted disk and encrypt the user's home directory.

Mount volumes, partitions, and other FS for chroot.

sudo mount /dev/mapper/system-rootvol /mnt;
sudo mount /dev/mapper/system-homevol /mnt/home;
sudo mount /dev/sdb1 /mnt/boot;
sudo mount –bind /dev /mnt/dev;
sudo mount –bind /proc /mnt/proc;
sudo mount –bind /sys /mnt/sys;
sudo swapon /dev/mapper/system-swapvol;
blkid;



In the second terminal we will chroot into the newly installed OS and configure it to boot using the encrypted disk.

sudo chroot /mnt;
ecryptfs-migrate-home -u user;
vi /etc/crypttab;
     “lvm UUID=<ID from blkid of the encrypted disk, crypto_LUKS> none luks,discard”
     save and exit
vi /etc/initiramfs-tools/conf.d/resume;
     “RESUME=/dev/mapper/system-swapvol”
     save and exit
update-initramfs -u -k all -c -v;
exit;








Unmount the /mnt mount points from terminal one and remove swap.

sudo umount /mnt/home /mnt/boot /mnt/dev /mnt/proc /mnt/sys /mnt;
sudo swapoff /dev/mapper/system-swapvol;


Reboot into the newly installed Ubuntu OS.